Ottawa PC Users' Group, Inc.
 Product Review


Security check with WebTrends
by Chris Taylor

 

I have written several articles for the Ottawa PC News that touched at least a bit on how your computer is vulnerability to attack from folks on the Internet. The most common means of defending your computer is to use a personal firewall product or intrusion detection software such as BlackICE Defender, WinRoute, ZoneAlarm, Sybergen Secure Desktop, or Norton Internet Security.

But I have been asked before how to determine the level of risk and just how vulnerable your machine is. I wrote in the October 2000 issue of Ottawa PC News about using a port scanner to check your machine for open ports. But that only tells part of the story. To really see the complete picture, you need to use software designed to look for vulnerabilities beyond just simple open ports.

Generally, these packages are out of the financial reach of individuals. They typically are licensed on a per-year basis at rates running into the tens of thousands of dollars.

WebTrends has released their popular WebTrends Security Analyzer (WTSA) free for personal use. The free version allows you to scan up to ten hosts on your local subnet. You can download a copy from their Web site (www.webtrends.com) or from PUB II in the Miscellaneous Utilities file area. If you get it from PUB II, there are three files; wtsacons.exe (the main program), wtsaaw32.exe (the agent for Win32 machines. Required if you want to scan one machine from
another), and wtsadocs.pdf (the documentation in Adobe Acrobat format.

When you install WTSA and run it the first time, it offers to update itself from the WebTrends site. Let it do this, even if you download the program directly from WebTrends, as there will always be updates.

Be sure to review the documentation. This is a quite involved program and you are not likely to get the most from it simply by running it and trying it out. The documentation explains the program quite well and will help you make more effective use of WTSA.

I first ran WTSA on a stock Windows 2000 Professional machine running on FAT32 drives. It was in a workgroup (as opposed to belonging to a domain). I told WTSA to do a complete scan for all vulnerabilities and went away for supper while it chugged away.

When I returned, I was a little surprised to discover that WTSA had found 454 vulnerabilities; 36 high risk, 318 medium risk, and 100 low-risk. When I asked it to generate a complete report in Word format, the final document was 160- pages long!

I calmed down a bit once I started reading about the vulnerabilities found. Many of them were really just flagging possible issues. For example, TWSA found that Napster had been installed and stated "Users of Napster can seriously tie up your company's network bandwidth."

Some vulnerabilities were kind of unavoidable. WTSA noted that the guest account had access to various files and folders. Well, gee whiz, I am running Win2K on FAT32, so it is kind of hard to limit access. But it might make me rethink staying with FAT32, I guess.

WTSA did find lots of vulnerabilities I was not aware of and could fix, given a bit of time and effort. It found that the installed version of HyperTerminal had a buffer overflow problem. It found I was not protected against all the latest Internet Explorer exploits. WTSA also found "Distributed COM (DCOM) enabled". The details tab states "Distributed Component Object Model (DCOM) is a complex way of executing code on remote machines. It has been shown to be insecure. There are many attacks which exploit DCOM, so a secure system should disallow DCOM altogether." I am pretty sure I have no need for DCOM, so I should be able to disable it.

Some of the low risk vulnerabilities seemed downright bizarre. For example, by default Windows 2000 allows any program to access the files on a CD-ROM. Hmmm...I sort of wonder about the circumstances where this would truly be a problem. And what would happen if you decide to disable this behaviour?

Amusingly, one of the vulnerabilities was that it found WebTrends Security Analyzer Application and the details stated "The presence of unauthorized security scanners on your network could be an indication an unauthorized use of your resources for hacking. Hackers use security scanners to detect vulnerable systems. A secure corporate environment only allows the use of security scanners by authorized personnel."

You should be really careful about "fixing" the issues listed by WTSA. While it does a really good job of listing tons of things that might be a problem, it does not go out of its way to tell you when and where changes are really appropriate. If you were to close off all vulnerabilities, you will have killed an awful lot of the functionality of your computer.

Still, it is nice to know where potential problems are. WebTrends Security Analyzer is a terrific way to find where you may be at risk. In most cases, it presents a reasonable level of information about the vulnerabilities along with the means to eliminate the risk. A very interesting product and the price is certainly right!


Bottom Line:

WebTrends Security Analyzer (WTSA)
Proprietary Software
from Webtrends
Web site: http://www.webtrends.com


Copyright and Usage
Ottawa Personal Computer Users' Group (OPCUG), Inc.
3 Thatcher Street, Ottawa, ON  K2G 1S6

The opinions expressed in these reviews may not necessarily
represent the views of the OPCUG or its members.